25 June 2018

F5 BIG-IP ASM - Brute Force and Web Scraping

Today, I want to write about two mitigation mechanisms that, I think, are not used enough in enterprises. First, brute force attacks can be stopped easily with the free tool fail2ban, but we can also use WAF appliances to block this kind of attack. On the other hand, web scraping attacks can also be stopped easily with WAF appliances, but most IT engineers don’t know it and, therefore, their web sites are not protected from competitors. These are two attacks that we can mitigate with F5 BIG-IP ASM.

Brute force attacks are attempts to discover credentials to break into services such as web services, file services or mail services. For example, malicious users and bots may be interested in getting into secure areas and, as a result, they’ll need to discover legitimate credentials. How does F5 ASM protect web sites against brute force attacks? We have to define a login page, for instance user_login.php, and then apply brute force protection to the security policy so that it knows what to do when a brute force attack is detected. We can watch the configuration in the next video:

Web scraping attacks are sophisticated attacks whose aim is to obtain large amounts of data from web sites by extracting proprietary data directly out of HTML: price tracking, directory listings to get leads and marketing information, image searches, financial information, etc. How does F5 ASM protect companies against web scraping attacks? We have to enable Bot Detection and then configure interval and period times to detect bots. For example, if a client loads 30 different pages in 30 seconds, that is unusual and the client will be classified as a bot. We can watch the configuration in the next video:
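The interval-based rule described above (30 different pages in 30 seconds) can be modeled as a sliding window over request logs. The following is an added example, not code from the original post or from F5, and it does not reproduce ASM's own detection logic; the log format, IP addresses and function names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_PAGES = 30       # distinct pages (threshold from the post's example)
WINDOW_SECONDS = 30  # sliding window length (from the post's example)

def parse_line(line):
    """Parse a constructed log format: '<ISO timestamp> <client IP> <path>'."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def detect_scrapers(lines, max_pages=MAX_PAGES, window=WINDOW_SECONDS):
    """Map each flagged client IP to the time it reached max_pages
    distinct pages inside one sliding window of `window` seconds."""
    recent = defaultdict(deque)  # ip -> (timestamp, path) pairs still in window
    flagged = {}
    for ts, ip, path in sorted(parse_line(l) for l in lines):
        if ip in flagged:
            continue
        q = recent[ip]
        q.append((ts, path))
        # Expire requests that fell out of the window.
        while (ts - q[0][0]).total_seconds() >= window:
            q.popleft()
        # Count distinct pages, so reloading the same page is not scraping.
        if len({p for _, p in q}) >= max_pages:
            flagged[ip] = ts
    return flagged

def sample_log():
    """Constructed traffic: one crawler, one page reloader, one slow reader."""
    base = datetime(2018, 6, 25, 10, 0, 0)
    def line(ms, ip, path):
        return f"{(base + timedelta(milliseconds=ms)).isoformat()} {ip} {path}"
    log = [line(500 * i, "198.51.100.7", f"/product/{i}") for i in range(30)]
    log += [line(500 * i, "203.0.113.20", f"/page/{i % 3}") for i in range(40)]
    log += [line(2000 * i, "192.0.2.15", f"/article/{i}") for i in range(30)]
    return log

if __name__ == "__main__":
    for ip, when in detect_scrapers(sample_log()).items():
        print(f"{ip} classified as bot at {when.isoformat()}")
```

Only the crawler is flagged: the reloader touches just three distinct pages, and the slow reader never has more than 15 distinct pages inside any 30-second window.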

However, there are times when we may also want to deny access by country because we are detecting too many attacks that come from a specific origin country. With care, if we don’t have customers or potential customers in that country, we can deny traffic from the “malicious” country. In addition, we can also deny traffic from Anonymous Proxies. How does F5 ASM protect web applications by geolocation? It is easy. We define disallowed locations and allowed locations in the security policy. That’s all! We can watch the configuration in the next video:

Regards, my friends, and drop me a line with the first thing you are thinking.